Authentication

Every request to the Arbitrum One API on TheRPC must include an API key — it authenticates you and links each call to your plan's quotas and usage metrics. This guide walks through obtaining a key from the dashboard, passing it correctly in the Authorization header on calls to arbitrum.therpc.io, securing it with environment variables and rotation, and recognizing the error responses you get when authentication fails.

Getting an API Key

• Sign up for a free account at TheRPC.io
• Open the Dashboard once you are signed in
• Go to the API Keys section
• Generate a new key and use it with the Arbitrum One endpoint https://arbitrum.therpc.io/YOUR_API_KEY

Using Your API Key

Your key travels in the Authorization header using the Bearer scheme — Authorization: Bearer YOUR_API_KEY. Every single request to the Arbitrum One endpoint must include this header; a call without it, or with a malformed value, is rejected before it reaches chain 42161.

HTTP Headers

1Authorization: Bearer YOUR_API_KEY

Example Requests — curl

1curl --request POST 'https://arbitrum.therpc.io/YOUR_API_KEY' \
2  --header 'Content-Type: application/json' \
3  --header 'Authorization: Bearer YOUR_API_KEY' \
4  --data '{
5    "jsonrpc": "2.0",
6    "method": "eth_blockNumber",
7    "params": [],
8    "id": 1
9  }'

Example Requests — JavaScript

1const response = await fetch('https://arbitrum.therpc.io/YOUR_API_KEY', {
2  method: 'POST',
3  headers: {
4    'Content-Type': 'application/json',
5    Authorization: `Bearer ${API_KEY}`,
6  },
7  body: JSON.stringify({
8    jsonrpc: '2.0',
9    method: 'eth_blockNumber',
10    params: [],
11    id: 1,
12  }),
13});

Security Best Practices

• Never commit your Arbitrum One API key to source control — keep it out of Git and CI logs
• Do not paste keys into public forums, issue trackers, Discord, or chat threads
• Store keys in environment variables or a dedicated secret vault, never hardcoded in client code
• Rotate keys periodically, and revoke any compromised key immediately from the dashboard
• Use separate keys per environment and per application (for example dev, staging, and production)
• Monitor each key's usage in the dashboard to spot unexpected traffic against chain 42161 early

Error Handling

When authentication fails, the Arbitrum One API returns a JSON-RPC error object with a negative code and a descriptive message instead of a result (see the example below). The most common causes are a missing Authorization header, an invalid or malformed key, a key that has expired or been revoked from the dashboard, and exceeding your plan's rate limit. Check the error.message to tell these apart quickly.

Authentication Error Response

1{
2  "jsonrpc": "2.0",
3  "error": {
4    "code": -32001,
5    "message": "Invalid authentication credentials"
6  },
7  "id": 1
8}

Environment Setup

The recommended setup is to load your Arbitrum One API key from an environment variable rather than hardcoding it in source. Keep the key in a .env file that is excluded from version control, and read it at runtime — the Node.js and Python snippets below show the pattern for pointing your client at arbitrum.therpc.io safely.

Environment Variables — .env

1# .env file
2THERPC_API_KEY=your_api_key_here

Configuration Examples — Node.js

1require('dotenv').config();
2const API_KEY = process.env.THERPC_API_KEY;

Configuration Examples — Python

1import os
2from dotenv import load_dotenv
3 
4load_dotenv()
5API_KEY = os.getenv('THERPC_API_KEY')